You assume you have a finite set of prime numbers; in this case we'll say we have found every prime in the range 0-1000, and the primes are denoted p1, p2, p3, ..., pn, where pn is the last prime in the set.
Then you multiply all of those primes together to get a large composite number, which we'll call x.
We know that any prime in the set from 0-1000 can divide this number and give us an integer result, since x = p1 * p2 * p3 * ... * pn (thanks to the formal definition of divisibility).
The contradiction to the original assumption that only a limited number of primes exists happens when we add 1 to the composite number, so y = x + 1.
Since we made a composite number out of ALL primes, there must exist some pi (i is the index number) that can divide y, right? (Again due to the formal definition of divisibility.)
However, this is not the case, since we know y = x + 1 = (p1 * p2 * p3 * ... * pn) + 1; thus there exists no pi in our original set that divides y, so y must be a prime.

You can do this again and again (this is called a proof by induction) for every new prime you find (like c, d, e, ... etc.).
Therefore there are infinitely many primes.

I know this was posted a while ago, but I hope it helps.

elite_garbage_man fucked around with this message at Dec 18, 2015 around 06:14
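The argument in the post above, run as code. This is an added example and not part of elite_garbage_man's post; the function names (primes_up_to, euclid_step, no_listed_prime_divides) are this example's own. It checks the divisibility claim directly: y = p1 * ... * pn + 1 leaves remainder 1 on division by every listed prime. It also factors y for a small list, because what the argument guarantees is a prime factor of y outside the list, and y itself is not always prime: 2 * 3 * 5 * 7 * 11 * 13 + 1 = 30031 = 59 * 509. For the full 0-1000 range it only verifies the remainder claim, since trial-dividing a 400-digit number is not practical.

```python
from math import isqrt, prod


def primes_up_to(n):
    """Sieve of Eratosthenes: all primes <= n, in increasing order."""
    if n < 2:
        return []
    sieve = bytearray([1]) * (n + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, isqrt(n) + 1):
        if sieve[i]:
            # zero out every multiple of i from i*i upward
            sieve[i * i::i] = bytes(len(range(i * i, n + 1, i)))
    return [i for i, flag in enumerate(sieve) if flag]


def smallest_prime_factor(m):
    """Trial division: least prime factor of m >= 2 (m itself if m is prime).
    Only practical for small m."""
    d = 2
    while d * d <= m:
        if m % d == 0:
            return d
        d += 1
    return m


def no_listed_prime_divides(primes):
    """The core of the argument: y = p1*...*pn + 1 is congruent to 1 modulo
    every listed prime, so none of them divides y."""
    y = prod(primes) + 1
    return all(y % p == 1 for p in primes)


def euclid_step(primes):
    """Return (y, q) where y = product + 1 and q is a prime dividing y.
    q is never in the list; y may or may not be prime itself."""
    y = prod(primes) + 1
    q = smallest_prime_factor(y)
    return y, q


if __name__ == "__main__":
    small = primes_up_to(13)
    print(small, euclid_step(small))                    # [2, 3, 5, 7, 11, 13] (30031, 59)
    print(no_listed_prime_divides(primes_up_to(1000)))  # True
```

euclid_step([2, 3, 5]) returns (31, 31), where y is prime; euclid_step(primes_up_to(13)) returns (30031, 59), where y is composite but its factor 59 is still outside the list. Both cases yield a new prime, which is all the proof needs.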

Best recommendations for password managers? Surely keeping them all in a Google Spreadsheet isn't considered best practice. I'm not interested in spending money on a service though. How is Safewin Cloud?

quote:

Best recommendations for password managers? Surely keeping them all in a Google Spreadsheet isn't considered best practice. I'm not interested in spending money on a service though. How is Safewin Cloud?

I think LastPass is the best choice for personal use. Make sure to enable 2 Factor Authentication via Google Authenticator or something.

Lastpass 2-factor doesn't actually do anything, so I wouldn't bother turning it on. Last I checked, anyway.

I guess you're talking about it not actually being required in all scenarios by default, like when offline? If security is more important than usability you can disable trusted devices and caching of credentials/vault contents, but that doesn't seem to be a good trade for most people.

In all honesty my main use for a password manager is to easily track unique, complex passwords for each online account I use. I'm happy to make the trade off that someone stealing one of my devices and managing to log into it might not get asked for a second factor of authentication.

quote:

I guess you're talking about it not actually being required in all scenarios by default, like when offline? If security is more important than usability you can disable trusted devices and caching of credentials/vault contents, but that doesn't seem to be a good trade for most people.

Could just be certain client apps, but last I checked if you have it enabled in Firefox you can sign in with the password and it will autofill any open web page you have, then you can tell the second factor popup to piss off and you still have the password filled in on whatever page. So I don't think it's actually enforced, rather it's up to the client app.

quote:

Could just be certain client apps, but last I checked if you have it enabled in Firefox you can sign in with the password and it will autofill any open web page you have, then you can tell the second factor popup to piss off and you still have the password filled in on whatever page. So I don't think it's actually enforced, rather it's up to the client app.

e: this is when I had it set to not work offline

That's the "locally cached credentials" case. If it is important to you that data not be accessible without authenticating, don't cache it locally.
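The design point behind the last few posts, as an added example in Python. This is not LastPass's code and not a description of its protocol; it is a toy login server built for this thread. The weak variant returns the vault blob as soon as the password checks out and merely asks the client to show a second-factor prompt, which a client can ignore. The server-gated variant withholds the vault until a TOTP code has also been verified. The account values, function names and blob are constructed for the example; the TOTP secret is the RFC 6238 test-vector secret.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo account for this example; nothing here is a real credential.
SALT = b"demo-salt-0123"
PASSWORD = b"correct horse battery staple"
TOTP_SECRET = b"12345678901234567890"   # RFC 6238 test-vector secret
VAULT_BLOB = b"<encrypted vault bytes, released only after 2FA>"


def hash_password(password: bytes, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)


PASSWORD_HASH = hash_password(PASSWORD)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1 with dynamic truncation)
    over the 30-second time counter."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def password_ok(password: bytes) -> bool:
    return hmac.compare_digest(hash_password(password), PASSWORD_HASH)


def login_client_gated(password: bytes, otp: str = None):
    """Weak design: the password alone releases the vault. 'needs_otp' is
    only a hint that the client is expected to prompt; the server has no way
    to know whether it did. A model of the behaviour described above."""
    if not password_ok(password):
        return {"ok": False}
    return {"ok": True, "needs_otp": True, "vault": VAULT_BLOB}


def login_server_gated(password: bytes, otp: str = None, now: int = None):
    """Server-enforced design: no vault material leaves the server until both
    the password and a valid TOTP code have been checked."""
    if not password_ok(password):
        return {"ok": False}
    now = int(time.time()) if now is None else now
    expected = totp(TOTP_SECRET, now)
    if otp is None or not hmac.compare_digest(otp, expected):
        return {"ok": False, "needs_otp": True}
    return {"ok": True, "vault": VAULT_BLOB}


if __name__ == "__main__":
    print(login_client_gated(PASSWORD))                     # vault present, OTP never checked
    print(login_server_gated(PASSWORD, None, now=59))       # needs_otp, no vault
    print(login_server_gated(PASSWORD, totp(TOTP_SECRET, 59), now=59))
```

The difference is where the check lives: in the first variant a modified or lazy client gets the vault regardless of what it does with the prompt; in the second, the client cannot obtain the blob without the code, whatever it displays. Locally cached vault contents, as the reply above notes, are a separate question that no server-side check can address.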

Lastpass has had too many dumb security issues. Use 1password or KeePass.

KeePass requires your own db management solution and 1password requires you to purchase a separate license for every platform, both of which are dealbreakers for most normal people. If you are a nerd and a local db works for you then not trusting anyone else with your data is obviously safest.

quote:

KeePass requires your own db management solution and 1password requires you to purchase a separate license for every platform, both of which are dealbreakers for most normal people. If you are a nerd and a local db works for you then not trusting anyone else with your data is obviously safest.

Those are issues for people needing multi-platform solutions, I doubt that is the majority of the userbase and doesn't excuse using an insecure manager.

quote:

Those are issues for people needing multi-platform solutions, I doubt that is the majority of the userbase and doesn't excuse using an insecure manager.

Lastpass isn't insecure, it just makes intelligent default choices to balance security and convenience for its users. Most people want features like trusted devices and offline access to their vault, and if you don't no one makes you keep them enabled.

quote:

Lastpass isn't insecure, it just makes intelligent default choices to balance security and convenience for its users. Most people want features like trusted devices and offline access to their vault, and if you don't no one makes you keep them enabled.

quote:

Those are issues for people needing multi-platform solutions, I doubt that is the majority of the userbase and doesn't excuse using an insecure manager.

Isn't the entire draw of cloud-based password managers multi-platform support? I've thought about going back to just KeePass from Lastpass, but I figure if the biggest threat to my Lastpass info requires somebody to have local control over my computer, I'm hosed either way.

Yes, it says that if credentials are saved locally to your machine, then an attacker with access to your machine may be able to gain access to your Lastpass vault data and account. This is not the threat model most people care about, and anyone that does can mitigate it by making changes to their account settings. Honestly dude you are making mountains out of molehills, Lastpass is compellingly better than the alternatives for everyone that isn't an autist and doesn't want to buy an app once for every platform they own.

quote:

Yes, it says that if credentials are saved locally to your machine, then an attacker with access to your machine may be able to gain access to your Lastpass vault data and account. This is not the threat model most people care about, and anyone that does can mitigate it by making changes to their account settings. Honestly dude you are making mountains out of molehills, Lastpass is compellingly better than the alternatives for everyone that isn't an autist and doesn't want to buy an app once for every platform they own.

If your password manager, by default, has an unencrypted key stored (dOTP) that can be used to authenticate, obtain the encrypted vault key, decrypt the vault key, bypass IP restrictions, bypass 2FA and relies on local storage being impenetrable then you've got a bit of a design flaw. We've seen the damage in the past when Lastpass had an XSS problem that let an attacker grab any plaintext passwords from a vault silently. You're not storing your vault on a single system by virtue of using Lastpass so that is not the only possible angle of attack, and based on prior issues I can't comfortably advise people to use it for secure password storage. Especially given their response to the issues presented.

quote:

KeePass requires your own db management solution and 1password requires you to purchase a separate license for every platform, both of which are dealbreakers for most normal people. If you are a nerd and a local db works for you then not trusting anyone else with your data is obviously safest.

I have no idea what you're talking about with KeePass. I've used KeePass2 for years now, and I've never set up a database. It asks you how many PBKDF2 (I think) rounds you want to use but also provides a helpful "optimize for 1 second" button.

I just throw it in a Dropbox after that. Nowadays it can even helpfully merge changes if it's been modified elsewhere since it was opened. I use it on Linux with Wine, there's freeware Android implementations, etc.

SeaFile is probably better than Dropbox from a security standpoint.

Paul MaudDib fucked around with this message at Dec 21, 2015 around 19:58
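The "optimize for 1 second" idea from the post above, as an added example in Python. This is not KeePass's code: it times a PBKDF2-HMAC-SHA256 probe, scales the round count to a target budget, and derives a vault key from the password optionally combined with a key file, the option mentioned a few posts up. The function names and the composite-key layout are this example's own assumptions; they illustrate the idea (both password and key file are needed, and the cost scales with the round count) rather than match the KeePass file format.

```python
import hashlib
import os
import time


def pbkdf2_seconds(password: bytes, salt: bytes, rounds: int) -> float:
    """Wall-clock seconds for one PBKDF2-HMAC-SHA256 derivation at `rounds`."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password, salt, rounds, dklen=32)
    return time.perf_counter() - start


def calibrate_rounds(target_seconds=1.0, probe_rounds=20_000, floor=100_000):
    """Time a probe and scale linearly to the target budget (PBKDF2 cost is
    linear in rounds). Never return less than `floor`, so a very fast or
    mis-measured machine cannot produce a trivially cheap setting."""
    elapsed = max(pbkdf2_seconds(b"probe", os.urandom(16), probe_rounds), 1e-9)
    return max(int(probe_rounds * target_seconds / elapsed), floor)


def composite_secret(password: bytes, keyfile=None) -> bytes:
    """Fold the password and an optional key file into one secret. The layout
    (hash each part, then hash the concatenation) is this example's own
    assumption; what matters is that a guess needs both parts."""
    material = hashlib.sha256(password).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(material).digest()


def derive_vault_key(password: bytes, salt: bytes, rounds: int, keyfile=None) -> bytes:
    """The key that would unlock the database: KDF over the composite secret."""
    return hashlib.pbkdf2_hmac("sha256", composite_secret(password, keyfile),
                               salt, rounds, dklen=32)


if __name__ == "__main__":
    rounds = calibrate_rounds(target_seconds=1.0)
    salt = os.urandom(32)                                   # constructed, per database
    keyfile = os.urandom(64)                                # constructed stand-in for a key file
    key = derive_vault_key(b"a long passphrase", salt, rounds, keyfile)
    print(rounds, key.hex())
```

Two things to take from it: the round count is a per-machine measurement, so a figure tuned on a laptop is a budget, not a security guarantee against dedicated hardware; and a key file raises the cost of an offline guess only if it is kept apart from the synced database file, otherwise an attacker who copies the Dropbox folder has both.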

I feel like if you think LastPass is insecure "just throw your entire password DB into Dropbox!" isn't really much better...

Please explain how you have come to this conclusion. You're (mostly) in control and provided that you don't set your KeePass file to some dumb password, putting it on Dropbox or some other hosting service is far better than trusting that the algorithm used on LastPass isn't being hobbled by any inadequately written software. Hell, you can combine it with a keyfile if you're even less trusting of this method.

You can at least inspect how KeePass is treating your passwords whereas you're trusting a blackbox with LastPass that has had a number of problems in the past five years.

quote:

Please explain how you have come to this conclusion. You're (mostly) in control and provided that you don't set your KeePass file to some dumb password, putting it on Dropbox or some other hosting service is far better than trusting that the algorithm used on LastPass isn't being hobbled by any inadequately written software. Hell, you can combine it with a keyfile if you're even less trusting of this method.

You can at least inspect how KeePass is treating your passwords whereas you're trusting a blackbox with LastPass that has had a number of problems in the past five years.

Last time there was a discussion about this the overwhelming opinion from goons was that Dropbox was a security joke and your data might as well just be publicly accessible.

Then again that conversation was just as dripping with toxic condescension as this thread has been so maybe I missed something.

They're not advocating putting your passwords on dropbox, but to use it to hold the encrypted container that KeePass needs so you can keep it synched between devices. As long as you feel that the container is secure then the risk you're taking hosting it on dropbox is minimized by rotating passwords.

And we're going on about Dropbox being insecure because someone could read the password file on your system? At least if you're saving the KeePass (or 1Password) file via Dropbox, you don't have to be as concerned about someone modifying the application to allow others to read the data. The type of attack on Juniper's VPN source code is far more likely with LastPass than with KeePass, to say the least.

quote:

If your password manager, by default, has an unencrypted key stored (dOTP) that can be used to authenticate, obtain the encrypted vault key, decrypt the vault key, bypass IP restrictions, bypass 2FA and relies on local storage being impenetrable then you've got a bit of a design flaw. We've seen the damage in the past when Lastpass had an XSS problem that let an attacker grab any plaintext passwords from a vault silently. You're not storing your vault on a single system by virtue of using Lastpass so that is not the only possible angle of attack, and based on prior issues I can't comfortably advise people to use it for secure password storage. Especially given their response to the issues presented.

You are inventing fake concerns. The default configuration of Lastpass does not protect you from an attacker with access to your machine, because that is not a relevant threat for most users and changing the way the software works to protect against that would require usability compromises that are unacceptable to most users. Users for whom those compromises ARE acceptable can change their account settings, or hell just use KeePass if they care that much.

KeePass doesn't cost money and works on virtually every platform out there. It works great with Dropbox and works fine for autists and non-autists alike.

KeePass is worthless for average users because it requires you to roll your own db storage and synchronization solution. Saying "just use dropbox" is great for autists who want to live independently, but it's absolutely not a solution that Just Works in the way Lastpass does. You're a smart guy, you know all this, so I don't get why you won't accept that LastPass offers the best balance between security and usability for most people. Let's be real, features like trusted devices and offline access to a cached db that seem like anathema to you and Wiggly Wayne are incredibly valuable to users.

quote:

KeePass is worthless for average users because it requires you to roll your own db storage and synchronization solution. Saying "just use dropbox" is great for autists who want to live independently, but it's absolutely not a solution that Just Works in the way Lastpass does. You're a smart guy, you know all this, so I don't get why you won't accept that LastPass offers the best balance between security and usability for most people.

My post above adequately demonstrates why using LastPass is a terrible suggestion and should be avoided at all costs. If you're the kind of person that has come to the conclusion that LastPass is necessary, you're the kind of person that is capable of setting up a cloud-based file distribution service.

quote:

You are inventing fake concerns. The default configuration of Lastpass does not protect you from an attacker with access to your machine, because that is not a relevant threat for most users and changing the way the software works to protect against that would require usability compromises that are unacceptable to most users. Users for whom those compromises ARE acceptable can change their account settings, or hell just use KeePass if they care that much.

Lastpass is explicitly made to have your vault stored on more than one device, with them having a copy. There is more than a single machine at risk, and users are not the ones who should be trusted to set security policies. This is why secure defaults are increasingly becoming the norm as it turns out no one reads the manual or understands the risks involved. If you're going to say I'm "inventing fake concerns", then back up your "most users" statements over the last page as I think one of us has a stronger basis for reality than the other.

quote:

KeePass is worthless for average users because it requires you to roll your own db storage and synchronization solution. Saying "just use dropbox" is great for autists who want to live independently, but it's absolutely not a solution that Just Works in the way Lastpass does. You're a smart guy, you know all this, so I don't get why you won't accept that LastPass offers the best balance between security and usability for most people. Let's be real, features like offline access

"Just Works" isn't a security concept. You may like those features but that doesn't make them the main reason a user uses software - accessibility and prominence in the landscape are major considerations. Consider how often you've pushed LastPass without finding out if a user needs to have vault access on more than one machine. Is the user making an informed decision across these products, or is their decision making impacted by other people's biases?

quote:

My post above adequately demonstrates why using LastPass is a terrible suggestion and should be avoided at all costs. If you're the kind of person that has come to the conclusion that LastPass is necessary, you're the kind of person that is capable of setting up a cloud-based file distribution service.

Your post describes some very vague and not-at-all-compelling reasons why people should be cautious about trusting their data to Lastpass. And yes, any security professional (or someone who plays one on the Internet) is perfectly capable of setting up their own cloud-based db synch solution, but those security professionals aren't asking for advice on how to manage their passwords. Someone who asks security professionals what password management solution to use should be directed to Lastpass.

quote:

"Just Works" isn't a security concept. You may like those features but that doesn't make them the main reason a user uses software - accessibility and prominence in the landscape are major considerations. Consider how often you've pushed LastPass without finding out if a user needs to have vault access on more than one machine. Is the user making an informed decision across these products, or is their decision making impacted by other people's biases?

Here's the problem. Convenience is so vastly more important than your theoretical security concerns that I am stunned we are still having this discussion. This fact has been a foundational principle of information security practices for quite some time. This is because users will work around inconvenient practices with MUCH less secure practices, such as how users respond to strong password requirements by reusing passwords. This is why the priority when creating a process for users MUST be that the process be so convenient users will never be tempted to work around it.

quote:

Your post describes some very vague and not-at-all-compelling reasons why people should be cautious about trusting their data to Lastpass. And yes, any security professional (or someone who plays one on the Internet) is perfectly capable of setting up their own cloud-based db synch solution, but those security professionals aren't asking for advice on how to manage their passwords. Someone who asks security professionals what password management solution to use should be directed to Lastpass.

They absolutely should not and security professionals do talk to each other about security products - they're users too.

quote:

Here's the problem. Convenience is so vastly more important than your theoretical security concerns that I am stunned we are still having this discussion. This fact has been a foundational principle of information security practices for quite some time. This is because users will work around inconvenient practices with MUCH less secure practices, such as how users respond to strong password requirements by reusing passwords. This is why the priority when creating a process for users MUST be that the process be so convenient users will never be tempted to work around it.

Well no poo poo, the problem is at no point have you backed up that the average user needs this particular feature set - or that leaving a file in a dropbox folder is requiring technical proficiency of an autist. For all my fake concerns, you aren't showing any of yours to be real.